Hello,
I have Comcast as my ISP and am seeing a large number of "reverse path check failed, drop" messages. I believe it is because there is a rogue device on the Comcast side that is spewing IPv6 at the WAN interface. I understand it is due to anti-spoofing, but I was hoping there is a way to just drop it. The exact log message looks like this:
10 27 2015 07:30:29 10.0.1.1 <LOC7:WARN> date=2015-10-27 time=07:25:01 devname=FortiGate devid=FWF60D logid=0000000006 type=traffic subtype=forward level=warning vd=root srcip=2001:558:4082:38::1 srcname="2001:558:4082:38::1" srcintf="wan1" dstip=ff02::1:ff1a:4566 dstname="ff02::1:ff1a:4566" dstintf=unknown-0 proto=58 action=deny policyid=0 dstcountry="Reserved" srccountry="United States" trandisp=noop service="icmp6/135/0" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 msg="reverse path check failed, drop"
Is there a way to drop this message without logging it? I want to log other invalid IPv4 packets but just not this IPv6 stuff. Any ideas?
TIA, Joe
A suggestion: can you write a local-in policy6 for this source or dest { ff02::1:ff1a:4566 } and drop it?
(e.g. assuming you have a group with all of the offenders listed and the host added in)
config firewall address6
    edit "badhost1"
        set ip6 2001:558:4082:38::1/64
    next
end

config firewall addrgrp6
    edit "OFFENDER_GROUP"
        set member "badhost1"
        set comment "my bad guy lists"
        set color 32
    next
end

and

config firewall local-in-policy6
    edit 0
        set intf "wan1"
        set srcaddr "OFFENDER_GROUP"
        set dstaddr "all"
        set action deny
        set service "ALL"
        set schedule "always"
        set comment "drop these src ipv6 address SOCPUPPETS"
    next
end
I believe traffic dropped at the local-in-policy6 would override any logging. Test this behavior and see if it meets your goal and requirements.
What is the IPv6 address on your WAN & LAN interfaces? And you do know that's an IPv6 multicast dst_address?
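Added example, not from this thread and not Fortinet code. The original question was how to stop logging this one message while still logging other invalid (IPv4) packets. Besides blocking the source on the FortiGate, you can do that at the syslog collector that receives these lines: the message is fully identifiable from the fields in the log body (proto=58 is ICMPv6, service icmp6/135 is a Neighbor Solicitation, and ff02::1:ff1a:4566 sits in the solicited-node multicast range ff02::1:ff00:0/104 from RFC 4291). The RPF check rejects a packet when the route back to its source does not point out the interface it arrived on, so a global-scope source showing up on wan1 with no return route through wan1 gets dropped. The script below parses the posted log format, suppresses only that IPv6 Neighbor Solicitation noise arriving on the WAN interface, keeps every other RPF drop, and collects the offending source addresses so they can be fed into the address group in the reply above. The log lines other than the one quoted in the post are constructed for this example; the interface name "wan1" comes from the posted log.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Set, Tuple

# Sample input, constructed for this example: the first line is the message
# quoted in the post (syslog header included, as the collector prints it);
# the other two are invented here to show what the filter must NOT suppress:
# an IPv4 RPF drop and an IPv6 RPF drop that is not a Neighbor Solicitation.
SAMPLE_LOGS = [
    '10 27 2015 07:30:29 10.0.1.1 <LOC7:WARN> date=2015-10-27 time=07:25:01 '
    'devname=FortiGate devid=FWF60D logid=0000000006 type=traffic subtype=forward '
    'level=warning vd=root srcip=2001:558:4082:38::1 srcname="2001:558:4082:38::1" '
    'srcintf="wan1" dstip=ff02::1:ff1a:4566 dstname="ff02::1:ff1a:4566" '
    'dstintf=unknown-0 proto=58 action=deny policyid=0 dstcountry="Reserved" '
    'srccountry="United States" trandisp=noop service="icmp6/135/0" duration=0 '
    'sentbyte=0 rcvdbyte=0 sentpkt=0 msg="reverse path check failed, drop"',
    # constructed: IPv4 RPF drop that the poster still wants to see
    '10 27 2015 07:31:02 10.0.1.1 <LOC7:WARN> date=2015-10-27 time=07:26:00 '
    'devname=FortiGate srcip=192.0.2.10 srcintf="wan1" dstip=203.0.113.5 proto=17 '
    'action=deny policyid=0 service="udp/53" msg="reverse path check failed, drop"',
    # constructed: IPv6 RPF drop that is ordinary TCP, not Neighbor Discovery
    '10 27 2015 07:31:40 10.0.1.1 <LOC7:WARN> date=2015-10-27 time=07:26:30 '
    'devname=FortiGate srcip=2001:db8::1 srcintf="wan1" dstip=2001:db8:1::5 proto=6 '
    'action=deny policyid=0 service="tcp/443" msg="reverse path check failed, drop"',
]

# key=value pairs; values are either "quoted, may contain spaces" or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Solicited-node multicast range (RFC 4291); Neighbor Solicitations for
# address resolution are sent to an address inside it.
SOLICITED_NODE = ipaddress.ip_network("ff02::1:ff00:0/104")
RPF_MSG = "reverse path check failed, drop"


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Split a FortiGate key=value log body into a dict, unquoting values.
    Text before the first key=value pair (the syslog header) is ignored."""
    fields: Dict[str, str] = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def is_ns_rpf_noise(fields: Dict[str, str], wan_intf: str = "wan1") -> bool:
    """True only for the message the poster wants silenced: an ICMPv6 (proto 58)
    Neighbor Solicitation (type 135) received on the WAN interface, addressed to
    a solicited-node multicast group, and dropped by the reverse path check."""
    if fields.get("msg") != RPF_MSG or fields.get("srcintf") != wan_intf:
        return False
    if fields.get("proto") != "58":
        return False
    if not fields.get("service", "").startswith("icmp6/135/"):
        return False
    try:
        dst = ipaddress.ip_address(fields["dstip"])
    except (KeyError, ValueError):
        return False
    return dst.version == 6 and dst in SOLICITED_NODE


def filter_rpf_logs(lines: Iterable[str], wan_intf: str = "wan1"
                    ) -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Return (kept, suppressed). Only the IPv6 NS noise is suppressed; every
    other line, including IPv4 RPF failures, is kept for normal logging."""
    kept, suppressed = [], []
    for line in lines:
        fields = parse_fortigate_log(line)
        (suppressed if is_ns_rpf_noise(fields, wan_intf) else kept).append(fields)
    return kept, suppressed


def offending_sources(lines: Iterable[str], wan_intf: str = "wan1") -> Set[str]:
    """Source addresses behind the suppressed noise, ready for an address group."""
    _, suppressed = filter_rpf_logs(lines, wan_intf)
    return {f["srcip"] for f in suppressed if "srcip" in f}


if __name__ == "__main__":
    kept, suppressed = filter_rpf_logs(SAMPLE_LOGS)
    print(f"kept {len(kept)}, suppressed {len(suppressed)}")
    print("offenders:", sorted(offending_sources(SAMPLE_LOGS)))
```

Run it as-is to see the classification of the three sample lines. Matching on all of proto, service and the solicited-node range (rather than on "any IPv6 RPF drop") is deliberate: an IPv6 RPF failure that is not Neighbor Discovery is exactly the kind of spoofed traffic the original poster still wants recorded.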
Copyright 2024 Fortinet, Inc. All Rights Reserved.